active directory - 4

7/27/2019 Active Directory - 4

1/15

1


2/15

2

Trust Relationships

Secure communication paths that allow objects

in one domain to be authenticated and accepted in other

domains

Some trusts are automatically created

Parent-child domains trust each other

Tree root domains trust forest root domain

Other trusts are manually created

Forest-to-Forest transitive trust relationships can be

created-Windows Server 2003 forests only


3/15

3

What Are Trusts?

Transitive trust sNontransitive trustsTransitive trust sNontransitive trusts

Trustcategories

One-way incoming trustOne-way o utgoing trustTwo-way trust

One-way incoming trustOne-way outgoing t rustTwo-way trust

Trustdirections

Five types of trusts: Default, Shortcut,External, Forest and RealmFive types of trusts: Default, Shortcut,External, Forest and RealmTrust types


4/15

4

Trust Relationships in Windows Server 2003

Default

Two-way- transitive Kerberos trusts (Intraforest)Shortcut

One or two-way transitive Kerberos trusts (Intraforest)Reduce authentication requestsExternalone way non-transitive NTLM trusts. Used to connectto/from Windows NT or external 2000 domainsManually created

Forest

One or two-way transitive Kerberos trusts. Onlybetween 2003 Forest Roots, Creates transitive domainrelationship

Realmone or two-way non-transitive Kerberos trusts

Connect to/from UNIX Kerberos realms


5/15


6/15

6

Default Trusts

A Default trust : A Default trust :

Aut omat ically Created

Transitive trust

Two-way transitive

Aut omat ically Created

Transitive trust

Two-way transitive

SOFT.COM

CCNA.ZOOM.CO MMCSE.Z OO M.COMNET.SOFT.COM

VB.NET.SOFT.COM MCP.MCSE.ZOOM.COM

ZOOM. COMFore st Root


7/15


8/15

8

An ex tern al t rus t i s: An ex tern al t rus t i s:

A tr ust th at is manually c reated between:

Two Active Directory domains located in dif ferent forests

An A cti ve Di rector y do main and a Windows NT 4.0 or ear lier domain

Nontransitive

One-way

A trus t that is manually cr eated b etween:

Two Active Directory domains loc ated in different forests

An A cti ve Dir ecto ry d omain and a Wind ows NT 4.0 or ear li er domain

Nontransitive

One-way

Forest 2

SAL ES .IBM.COM IT.IBM.COM

IBM.COM

External Trusts

ZOOM.COM

JAVA.SOFT.COM MCSE.Z OOM .COMNET.SOFT.COM

SOFT.C OM

Forest R oot

For est 1

External TrustExternal Trust


9/15


10/15

10

A realm t rus t: A r ealm t rus t:

Is a trust between aKerberos realm and an Act iv e Directo rydomain

Can be transitive or nontransitive

Can be one-way or two-way

Is a trust between aKerberos realm and an Act ive Direc tor ydomain

Can be transiti ve or nontransitive

Can be one-way or two -way

ZOOM.COM

Kerberos Realm

Realm TrustRealm Trust

CCNA.ZOO M.COMMCSE.Z OOM.COM

MCP.M CSE.ZOOM.COM

Realm Trusts


11/15

11


12/15

12

Domain and Forest Functional Levels

Functional levels determine

Supported domain controller operating system

Active Directory features will be available

Domain functional levels can be raised independently of

other Domains

Raising forest functional level is performed by

Enterprise Admin

Requires all Domain Functional levels to be at

Windows 2000 native or Windows Server 2003

functional levels


13/15

13

Windows 2000 Native Mode-No NT 4 DCs

Domain Controller (Windows Server 2003)

Domain Controller (Windows 2000)

Domain Functional Levels

Windows 2000 Mixed Mode-NT4, Windows 2000 or WS03 DCs

Domain Controller (Windows 2000)


Domain controller (Windows NT 4.0)


14/15

14

Windows Server 2003 Interim-No 2000 DCs

Domain controller (Windows NT 4.0)


Windows Server 2003 Server Level-All WS03 DCs



Domain Functional Levels


15/15

15

Windows Server 2003Windows Server 2003 Server

WindowsNT4.0,

Windows Server 2003Windows Server 2003 Interim

Windows NT4.0, Windows 2000,Windows Server 2003Windows 2000 (default)

Domain ControllersSupportedForest FunctionalLevel

Forest Functional Levels

active directory - 4

Documents